Security Testing Challenges

Limited security assessment scope and capabilities

Red Team operations
- can get expensive
- are not scalable
- lack completeness across the enterprise

Lack of confidence in the effectiveness of security controls and investments

Blue Teams struggle to
- verify that security controls are configured correctly
- evaluate the impact of new attacks on their security controls
Qualys Enterprise Breach and Attack Simulation

- Playbook library of real-world TTPs (MITRE ATT&CK™)
- Scale security assessments across the entire enterprise
- Continuously measure security control effectiveness over time

[Screenshot: Breach and Attack Simulation dashboard (Dashboard / Scans / Assets / Campaigns), filtered to the last 30 days. Panels: Total Assets Breached; Available Campaigns (263); Techniques (943); a percentage readout (85.72%); Tactics Overview by Failing Techniques, with Application Shimming (165, High) and Exploit Public-Facing Application (84, High) at the top of the list; and a campaign table listing weakness.exploit.msword.phish (Jan 01, 2018), exploit.compliance.eternalblue (Feb 15, 2018), weakness.compliance.password.reuse (Jun 02, 2018) and exploit.vulnerability.drupalgeddon2 (Aug 23, 2018), with 12 complete, 4 running and 6 scheduled.]
Technical Approach

- Centralized command-and-control framework using Cloud Agent
- Agents function as human adversaries
- Non-destructive TTPs or live exploits

[Screenshot: help menu of the Qualys Breach and Attack Simulation (v0.1) console. Operator commands shown include cat <file> (show contents of a file), agent <id> (connect to an agent), unzip <file> (unzip a file), download <url> (download a file from the asset), upload <url> (upload a file to the asset), execute <command> (execute a command on the asset), survey (collect metadata about the asset) and cleanup (clean up all traces of the agent from the asset), plus commands to list connected agents, show the help menu, kill an active agent connection, list files in the current directory, get the current working directory, show IP-MAC pairs from the system ARP table, scan and show status for the top 1024 TCP ports on the asset, and exit the current agent connection. Technique modules are grouped by ATT&CK tactic: Initial Access - T1196 drupalgeddon2 (run the Drupalgeddon2 exploit), T1190 apachestruts (run the Apache Struts S2-057 exploit); Execution - T1035 psexec (run PsExec for command execution), T1191 cmstp (run CMSTP.exe with a malicious .inf file for file execution), T1173 windde (use DDE to run arbitrary commands); Persistence - entries cut off in the screenshot.]

Takeover of external-facing assets

- Drupalgeddon2 (CVE-2018-7600)
- Remote system discovery
- Exploit Drupal vulnerability to control system
- Laterally spread using ETERNALBLUE

[Screenshot: console session. The operator runs "use 1" to open a live session with agent #1 (192.168.1.100) and starts the drupalgeddon2 module, supplying https://corpdomain.tld/blog as the public-facing Drupal webapp. The log (20/Nov/2018, 13:54:50 to 13:55:10) shows: T1190 Exploit Public-Facing Application - Drupal 7.46 detected via CHANGELOG.txt, successfully exploited using the Drupalgeddon2 exploit (CVE-2018-7600), the QAttack agent sda32fds.exe dropped, its connection received on TCP 32282, agent privileges "user"; SYSTEMINFO - logged-on user CORP/user1, Windows 7 SP1 (OS Build 6.1.7601), Intel Core i7-7700, 12.0 GB RAM, 64-bit, locale EN-US, computer name THINKPAD-111991-M710 (T-111991-M710.corp.domain.com), anti-virus detected: Symantec Endpoint Protection Small Business Edition; discovery module found 3 neighbours and SMBv1 enabled on 192.168.1.101; T1210 Exploitation of Remote Services - ETERNALBLUE module launched against 192.168.1.101 and reported successful, pivot from 192.168.1.100 to 192.168.1.101, a copy of the QAttack agent (sdfwe3223d.exe) sent to the new host; "All tests complete."]
Live View: Drupalgeddon2

[Screenshot: live campaign view. Identification: Scan Drupalgeddon2, Campaign exploit.vulnerability.drupalgeddon2, Status InProgress. Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion (6 more); a Tactics Breakdown by Status chart. Status filter: Breached / Safe / Error. Operating System filter: Windows 2012 Server, Windows Server 2012 R2, Windows Server 8.1, Windows 7 SP1, Windows 10 Enterprise. A network graph of assets 192.168.1.100 to 192.168.1.110 with a detail card for 192.168.1.100 (hostname https://corpdomain.tld, username CORP/administrator, processor AMD ThreadRipper 1980x, privileges administrator). Selected asset: Breached, 192.168.1.101, THINKPAD-98689-M710, with its log (11/10/2018, 10:01:27 to 10:01:52 AM): testing 1 of 3 techniques - T1190 Exploit Public-Facing Application; found public-facing Drupal web host https://corpdomain.tld/blog; Drupal 7.46 detected via https://corpdomain.tld/blog/CHANGELOG.txt; successfully exploited using the Drupalgeddon2 exploit (CVE-2018-7600); dropped file sda32fds.exe; waiting for connection from sda32fds.exe.]


Use Case: Credential Harvesting & Lateral Movements

1. Uploading / running mimikatz
2. Extracting stored credentials
3. Lateral movements

[Screenshot: console session. The tail of the mimikatz output (ssp and kerberos sections: Username vswin2k8r2sp1be$, Domain WORKGROUP, Password (null)) ends with "mimikatz(commandline) # exit"; the T1003 log then reports "End execution: mimikatz.exe", a CLEANUP entry deleting mimikatz.exe, "Passwords extracted: 4" and "Test successful". Running "cache" at the (agent #1) >>> prompt prints the harvested passwords: four entries - local tspkg, wdigest and kerberos credentials plus an application:proxy credman credential - each with username Administrator, domain VSWIN2K8R2SP1BE and the password masked as Abcxxxxxxx5.]
Use Case: Credential Harvesting & Lateral Movements (continued)

3. Lateral movements

[Screenshot: console session. The cache listing from step 2 is still visible (local wdigest and kerberos entries and the application:proxy credman entry for Administrator in domain VSWIN2K8R2SP1BE). Running "lateral" at the (agent #1) >>> prompt produces the log (20/Nov/2018, 14:32:29 to 14:32:40): T1077 Windows Admin Share - scanning for shares on 192.168.1.101 and 192.168.1.102, Windows admin$ share detected on both, admin shares enumerated; T1078 Valid Accounts - testing the passwords retrieved using T1003, credentials detected for administrator, attempting lateral movement using re-used credentials; T1035 Service Execution - psexec.exe location read from configuration (\\software\psexec.exe), the agent binary ds345gfgd.exe copied from 192.168.1.100 to the c$ share of 192.168.1.101 and launched remotely with psexec.exe under the administrator account; "Test successful", "End execution: psexec.exe", psexec.exe deleted during cleanup, "All tests complete."]
Live View: Password Reuse

[Screenshot: live campaign view. Identification: Scan Password Reuse, Campaign weakness.compliance.password.reuse, Status InProgress (34%). Tactics: Initial Access, Execution, Privilege Escalation, Defense Evasion (6 more); a Tactics Breakdown by Status chart. Status filter: Breached / Safe / Error. Operating System filter: Windows 2012 Server, Windows Server 2012 R2, Windows Server 8.1, Windows 7 SP1, Windows 10 Enterprise. A network graph of assets 192.168.1.101 to 192.168.1.107 with a detail card for 192.168.1.101 (hostname THINKPAD-98689-M710, username CORP/user1, Intel Core i7 processor, privileges administrator). Selected asset: Breached, 192.168.1.101, THINKPAD-98689-M710, with its log (11/10/2018, 10:01:11 to 10:01:15 AM): QAttack agent initialized via QAgent, process name adfg32dsff.exe; current agent privileges: user; SYSTEMINFO - currently logged-on user CORP/user1, operating system Windows 7 SP1 (OS Build 6.1.7601), processor Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz, installed memory (RAM) 12.0 GB.]


Benefits

- Fully and continuously assess known and emerging TTPs against applications and operating systems
- Red Teams scale their operations to cover more systems with more security attack types
- Empirically measure the effectiveness of security prevention and detection tools
- Blue Teams configure current tools to perform better … or procure new / replacement tools
Secure Enterprise Mobility

Visibility
- Identity (X.509, Asset ID, Device ID)
- Device Hardware
- Network and Interactions
- Apps
- Analytics

Security Posture
[Screenshot: Secure Enterprise Mobility console (Dashboard / Inventory / User Profiles / Configurations), last 30 days. The inventory lists enrolled, active, corporate-owned Android (Lenovo, Motorola, Asus) and iOS (Apple) devices with last-seen timestamps (Sep 25 to Oct 05, 2018 IST), operating system, status and device identifiers, with filters for operating system, status (including Ready for Re-enrollment), manufacturer, mode, ownership (Corporate-Owned / Employee-Owned) and tags. Asset Details: Station10_Tab1_LENOVO - Lenovo TB-7504X, Android 7.0, Corporate-Owned, enrolled Oct 9, 2018, modified Oct 10, 2018, last seen Nov 14, 2018 12:05 PM PST from North Carolina, United States; the summary panel shows status, root-access, compliance, passcode and encryption indicators; tabs for System Information, Apps, CA Certificates, Security Tokens, Logs, Location and Actions; enrolled with AFW: Yes; tagged QSC Conference.]
[Screenshot: installed-application inventory for the selected asset (1-13 of 13 apps), with columns for package identifier, version, two yes/no attribute flags and detection time (Nov 05 to Nov 09, 2018 PST). The list includes Google apps (Gmail, Maps, YouTube, Docs, Chromecast, Play Store and the keyboard), TeamViewer, a OnePlus gallery app and SnoopSnitch, each with an Uninstall action.]
Security
- Vulnerability Management
- Asset Lockdown
- Asset Hardening
- Enterprise Integrations
Compliance Policies
- On Enrollment
- Continuous Monitoring

Protection
- Enforcement and Remedial Actions
- Policy Management
- Containerization
Asset Details: Station10_Tab1_LENOVO - Security Tokens / Actions

Actions available on an enrolled asset:
- Lock the screen of the asset. The asset will be unusable until it is unlocked.
- Send a message to the user of the asset. The message will be sent as a Push Notification.
- Poll Mode: the asset will communicate with the Qualys server after the specified regular interval. Push Mode: the Qualys server will communicate with the asset only when a new action is scheduled for the asset.
- The asset will buzz and its current geolocation will be sent to the server, provided Location Services are enabled.
- Sync asset information on demand.
- The asset will be de-enrolled and the server will not be able to communicate with the device. Corporate data on the asset will also be deleted.
- The asset will be factory reset. The server will no longer be able to communicate with the asset.
Privacy
- DIY Portal
- Audit Control
- Ownership (Corporate/BYOD)
- Transparency
Roadmap
- Feb 2019 - Closed Beta
- Multiple releases during 2019
Security Analytics and Orchestration
Security Analytics & Orchestration

Response
- Human Guided Response
- Policy-Driven Response

Orchestration
- Playbooks for Bi-Dir Ecosystems Integration
- BYOP - Bring-Your-Own-Playbook

Correlation
- Cross-Product Correlation
- Detect KNOWN threats with out-of-box rules

Enrichment
- Additional Context from 3rd Party Sources

Advanced Analytics
- Detect UNKNOWN threats using Machine Learning
- Hacker Behavioral Analytics
- Predictive & Prescriptive SOC
Security Analytics & Orchestration Apps

- ML/AI Service: Patterns | Outlier | Predictive SOC
- Orchestration & Automation: Ecosystems Integration | Playbooks | Response
- UEBA: User & Entity Behavior Analytics
- Threat Hunt: Search | Exploration | Behavior Graph
- Security Analytics: Anomaly | Visualization | Dashboard
- Advanced Correlation: Actionable Insights | Out-of-box Rules

Qualys Security Data Lake Platform: Data Ingestion | Normalization | Enrichment | Governance

Data sources (Network Security, Server, Endpoint, Apps, Cloud) feed the platform through Qualys Apps and Qualys Quick Connectors.
Characteristics of Data Lake

Collect Anything | Dive in Anywhere | Flexible Access | Future Proof

© Qualys

What is Security Data Lake?

- Single data store (single source of truth)
- Structured and unstructured data
- Data is transformed, normalized, and enriched
- Threat Intelligence feed integration, GeoIP etc.
- Data has governance, semantic consistency, and access controls
- Store-once / Process-once / Use-multiple
- Apps, dashboards, data analytics
- Cross product search, reporting, visualization
- Machine learning, forensics, etc.


Simplified View

[Diagram: security logs from multiple sources, cloud connectors, log connectors and AD/LDAP/HRMS feed the Qualys Security Data Lake Platform through data validation, data aggregation, data normalization and 3rd party integration; on top of the platform sit behavior analytics, threat hunting, security analytics, ML/AI modelling, data visualization, RESTful API services, and orchestration and automation.]
[Diagram: reference architecture. Qualys Apps layer - Graphs/Topology, Dashboards, Search & correlation, Cyber threat hunting, Orchestration, Automation & Alerting, Anomaly detection, User & entity behavior analytics, with FIM, IOC and Patch apps. Query and storage layer - Presto, Phoenix, Druid, Dgraph, Apache Kylin, HBase, Spark and Object Storage. Ingestion from the Cloud Agent via CAMS and an API Gateway, followed by a processing pipeline: validations and cleansing, normalization, cross-reference and metadata enrichment, data marts (dimension + aggregation) and a sync pipeline.]
Thank You & Closing Remarks

Sumedh Thakar
Chief Product Officer, Qualys, Inc.


